Tags: ssl, glassfish, lets-encrypt, glassfish-4.1

How to install a free Let's Encrypt SSL certificate on a GlassFish 4.x server


I have scanned SO and found that there are no detailed instructions on how to install a letsencrypt.org SSL certificate on GlassFish; specifically, in this tutorial I will be using GlassFish 4.1.2 build 1. After a lot of trial and error, I was able to put together the following guide. So I hope that it is fine to ask and answer my own question.

In this tutorial I shall be using an Ubuntu 16.04 LTS Server with Shell access from my Ubuntu 16.04 LTS desktop.


Solution

  • Visit certbot and follow the instructions below to set up your system

    Install

    On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you'll need to do is apt-get the following packages.

    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install certbot 
    

    Get Started

    Since your server architecture doesn't yet support automatic installation you'll have to use the certonly command to obtain your certificate.

    $ sudo certbot certonly
    

    terminal will output

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    How would you like to authenticate with the ACME CA?
    1: Place files in webroot directory (webroot)
    2: Spin up a temporary webserver (standalone)
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    

    We select the first option: key in 1 and press Enter.

    terminal will output

    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
    to cancel):yoursite.com www.yoursite.com
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for yoursite.com
    http-01 challenge for www.yoursite.com
    

    terminal will output

    Select the webroot for yoursite.com:
    
    
    1: Enter a new webroot
    Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
    Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
    
    Select the webroot for www.yoursite.com:
    
    
    1: Enter a new webroot
    2: /home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
    
    
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
    

    terminal will output

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
       expire on 2017-08-21. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
    

    Automating renewal

    The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

    certbot renew --dry-run
    

    The following script automates importing the certificate into GlassFish.

    for further reading

    https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711

    Now we import the certificates. Save the following script as yourscriptname.sh to automate the process, then run it with the command

    $ sh yourscriptname.sh
    
    #!/bin/sh
    # stop at the first failing command so a half-built keystore is never installed
    set -e
    
    DOMAIN=yoursite.com
    # changeit is the default keystore password; GlassFish requires it to stay equal
    # to the master password, otherwise the domain will not start
    KEYSTOREPW=changeit
    GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
    LIVE=/etc/letsencrypt/live/$DOMAIN
    
    # scratch directory for the PKCS#12 bundles and the new keystore
    mkdir -p etc
    cd etc
    
    # leaf certificate plus private key as PKCS#12, imported into a fresh keystore.jks;
    # chain.pem holds the Let's Encrypt intermediate and is added as a trusted entry
    sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
    sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
    sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW
    
    # GlassFish looks up its key pair by alias: the stock keystore.jks ships the
    # aliases s1as (default cert-nickname of the HTTPS listeners) and glassfish-instance,
    # so the renewed key and full chain are stored under both
    sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
    sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
    sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
    sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
    
    sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
    
    # keep the stock keystore the first time this runs, then install the new one
    [ -f $GFDOMAIN/config/keystore-orig.jks ] || sudo cp $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
    sudo cp -f keystore.jks $GFDOMAIN/config/
    
    sudo service glassfish stop
    sudo service glassfish start
    
    cd ..
    sudo rm -rf etc
    

    if you need to change the keystore password

    Use the keytool command. If it doesn't work, you might have to cd to your glassfish-install-dir/glassfish/domains/domain1/config directory, where the keystore is located, and run the command there.

    keytool -storepasswd -keystore /path/to/keystore
    Enter keystore password:  changeit
    New keystore password:  new-password
    Re-enter new keystore password:  new-password
    

    After successfully importing the certs and restarting the GlassFish server, SSL worked with the installed web application, but unfortunately I was not able to log into the GlassFish admin console from the browser, though the asadmin tool still worked.

    Solving "unable to log in to the admin console" after the above changes

    We need to add a wget command to our script to download the most recent revision of the trusted CA bundle that Mozilla maintains (the files are dated by revision).

    Add the following to the yourscriptname.sh script just above the line sudo cp -f keystore.jks $GFDOMAIN/config/ (so that the backup below still sees the original keystore before it is overwritten) to fix the problem.

    # Mozilla's CA bundle as published by the curl project; the dated file pins one
    # revision, https://curl.haxx.se/ca/cacert.pem always points at the latest one.
    # Do NOT add --no-check-certificate here: this file becomes the trust store, so
    # the download itself must come over a verified TLS connection.
    wget https://curl.haxx.se/ca/cacert-2017-01-18.pem -O cacert.pem
    
    PEM_FILE=cacert.pem
    KEYSTORE=cacerts.jks
    
    # number of certificates in the bundle
    CERTS=$(grep 'END CERTIFICATE' $PEM_FILE | wc -l)
    
    # import the N-th certificate of the bundle under its own alias; keytool skips
    # the descriptive lines that precede each BEGIN CERTIFICATE marker
    for N in $(seq 0 $(($CERTS - 1))); do
        ALIAS="${PEM_FILE%.*}-$N"
        awk "n==$N { print }; /END CERTIFICATE/ { n++ }" $PEM_FILE |
        keytool -noprompt -import -trustcacerts \
                -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
    done
    sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
    sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW
    
    # keep the stock keystore and truststore the first time this runs
    if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
        echo "Backing up original keystore..."
        sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
    fi
    if [ ! -f $GFDOMAIN/config/cacerts-orig.jks ]; then
        echo "Backing up original truststore..."
        sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
    fi
    echo "Updating certificates..."
    sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
    sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks
    # the service stop/start and the "cd ..; sudo rm -rf etc" cleanup that already
    # end yourscriptname.sh follow this block; do not repeat them here
    

    I hope this helps someone cheers all!
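As an added example, not part of the original question or answer, here are the answer's steps folded into one certbot deploy hook so the keystore is rebuilt on every renewal instead of once by hand. certbot runs a deploy hook only after a certificate was actually renewed and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<domain> directory) to it. The hook keeps the existing keystore.jks and replaces only the s1as and glassfish-instance entries, builds a fresh cacerts.jks from the Mozilla bundle as the answer does but refuses the bundle unless its digest matches the .sha256 file published beside it, and takes dated backups before swapping files. GlassFish requires the keystore password to equal its master password, so change both together (keytool -storepasswd for one, asadmin change-master-password for the other). Assumed and not from the page: the service name glassfish, the domain path (override with GFDOMAIN), and the cacert.pem.sha256 sidecar on curl.haxx.se.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that rebuilds
# GlassFish's keystore.jks from the renewed Let's Encrypt files and refreshes
# cacerts.jks from a digest-verified Mozilla CA bundle.
# Assumed (not in the original): service name "glassfish", the domain path
# below, and a cacert.pem.sha256 sidecar next to the bundle on curl.haxx.se.
set -eu

GFDOMAIN=${GFDOMAIN:-/home/yourUsername/glassfish4/glassfish/domains/domain1}
# GlassFish requires the keystore password to equal its master password
KEYSTOREPW=${KEYSTOREPW:-changeit}
CA_URL=${CA_URL:-https://curl.haxx.se/ca/cacert.pem}

# sha256_of FILE -> hex digest (GNU coreutils or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 only when the digest matches
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# pem_cert_count FILE -> number of certificates in a PEM bundle
pem_cert_count() {
    grep -c 'END CERTIFICATE' "$1"
}

# split_pem_bundle FILE OUTDIR -> one OUTDIR/cert-N.pem per certificate, keeping
# only the BEGIN..END block (the bundle's comment lines are dropped); prints N
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out); n++ }
    ' "$1"
    ls "$2" | grep -c '^cert-'
}

# import_trust_bundle BUNDLE TRUSTSTORE -> every certificate as a trusted entry
# in a truststore that is created fresh, so aliases never clash
import_trust_bundle() {
    tmp=$(mktemp -d)
    split_pem_bundle "$1" "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        keytool -importcert -noprompt -trustcacerts -file "$f" \
            -alias "mozilla-$(basename "$f" .pem)" \
            -keystore "$2" -storepass "$KEYSTOREPW"
    done
    rm -rf "$tmp"
}

# build_keystore LIVE_DIR KEYSTORE -> replace the s1as and glassfish-instance
# entries with the renewed key and full chain, leaving other entries untouched
build_keystore() {
    p12=$(mktemp)
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name s1as -out "$p12" -password "pass:$KEYSTOREPW"
    for alias in s1as glassfish-instance; do
        keytool -delete -alias "$alias" -keystore "$2" -storepass "$KEYSTOREPW" 2>/dev/null || true
        keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
            -srcstorepass "$KEYSTOREPW" -srcalias s1as -destalias "$alias" \
            -destkeystore "$2" -deststorepass "$KEYSTOREPW" -destkeypass "$KEYSTOREPW"
    done
    rm -f "$p12"
}

main() {
    cfg=$GFDOMAIN/config
    work=$(mktemp -d)
    cp "$cfg/keystore.jks" "$work/keystore.jks"
    build_keystore "$RENEWED_LINEAGE" "$work/keystore.jks"
    # never install a bundle whose digest does not match the published one
    wget -q -O "$work/cacert.pem" "$CA_URL"
    wget -q -O "$work/cacert.pem.sha256" "$CA_URL.sha256"
    verify_sha256 "$work/cacert.pem" "$(cut -d' ' -f1 "$work/cacert.pem.sha256")" ||
        { echo "cacert.pem digest mismatch, aborting" >&2; rm -rf "$work"; exit 1; }
    import_trust_bundle "$work/cacert.pem" "$work/cacerts.jks"
    stamp=$(date +%F)
    cp -f "$cfg/keystore.jks" "$cfg/keystore-$stamp.jks"   # dated backups
    cp -f "$cfg/cacerts.jks" "$cfg/cacerts-$stamp.jks"
    cp -f "$work/keystore.jks" "$work/cacerts.jks" "$cfg/"
    rm -rf "$work"
    service glassfish stop
    service glassfish start
}

# certbot exports RENEWED_LINEAGE to deploy hooks; a plain shell only defines the functions
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as, say, /usr/local/bin/glassfish-deploy-hook.sh (executable, owned by root) and run certbot renew --deploy-hook /usr/local/bin/glassfish-deploy-hook.sh from the renewal cron job; certbot invokes the hook as root, so no sudo is needed inside it. Executing the file by hand in a normal shell, where RENEWED_LINEAGE is unset, only defines the functions, which is how the PEM splitting and digest check can be tried out on a local file without touching GlassFish.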